angler-fishThe Vulnerability History Project

Fixed #20936 -- When logging out/ending a session, don't create a new, empty session.

      Previously, when logging out, the existing session was overwritten by a
new sessionid instead of deleting the session altogether.

This behavior added overhead by creating a new session record in
whichever backend was in use: db, cache, etc.

This extra session is unnecessary at the time since no session data is
meant to be preserved when explicitly logging out.
by Sean the Lionfish 2013-08-19 05:36:36 UTC
commit 393c0e24223c701edeb8ce7dc9d0f852f0c081ad
Django VCC Empty Crowd Wipeout CVE-2015-5963 VCC Attack is in Session CVE-2015-5964
django/contrib/sessions/backends/base.py
+1 -8
django/contrib/sessions/backends/cached_db.py
+1 -1
django/contrib/sessions/middleware.py
+21 -28
django/contrib/sessions/tests.py
-21
docs/releases/1.8.txt
+1 -2
docs/topics/http/sessions.txt
+4 -9
expand_less